Overview of security incidents for the period 17-23 July 2021
The scandal surrounding the Israeli spyware vendor NSO Group and its Pegasus program, accusations of hacking campaigns against the Chinese government, interesting vulnerabilities and ransomware attacks – read about all these events and more in our review.
One of the high-profile events of the week was the publication of a report by the French NGO Forbidden Stories and the human rights organization Amnesty International on the use of Pegasus spyware by governments in dozens of countries to spy on journalists, politicians and dissidents. The organizations obtained a list of 50,000 phone numbers from the Pegasus database. Among other entries, the list included the phone numbers of Telegram founder Pavel Durov and French President Emmanuel Macron.
The release of the report raised many questions for the developer of Pegasus, the Israeli company NSO Group, which ultimately said it would not comment on Amnesty International's and Forbidden Stories' allegations of misuse of the company's products.
This week, the US, UK, NATO and allied countries accused the Chinese government of organizing massive attacks on Microsoft Exchange servers, affecting tens of thousands of companies around the world.
The US authorities indicted four Chinese citizens for cyberattacks on companies, universities and government agencies in the US, Germany, Canada, South Africa, the UK, Austria, Switzerland, Saudi Arabia and several other countries from 2011 to 2018.
This week, the FBI and CISA reported that Chinese government-sponsored hackers infiltrated the computer networks of at least 13 pipeline operators in the United States between 2011 and 2013. The hackers did not try to interfere with pipeline operations; they were more interested in information related to SCADA systems, lists of employees, credentials and manuals for managing those systems.
In addition, the French cybersecurity agency ANSSI warned of attacks by the hacker group APT31 (Zirconium), allegedly working for China, on an organization in France. Attackers use a network of compromised home and office routers to mask the source of an attack. The APT31 group is one of two Chinese APTs (the second is APT40), which the United States and allied countries have accused of large-scale attacks on Microsoft Exchange servers.
In light of recent events, Israeli Prime Minister Naftali Bennett called on the world community to create a global platform to defend against cyberattacks. In his opinion, such a global shield would become the best protection for states, their citizens and government departments against the full range of cyber threats.
Specialists from SonicWall and CISA warned users about a malicious campaign organized by the operators of the HelloKitty ransomware. Attackers target Secure Mobile Access (SMA) 100 and Secure Remote Access (SRA) devices that have reached the End of Life (EOL). During the attacks, hackers exploit a vulnerability in the firmware, which has been fixed in newer versions.
Another CISA warning released this week concerns attacks that exploit vulnerabilities in Pulse Secure devices. The attacks, which began in April this year, targeted defence, government and financial organizations in the United States and elsewhere.
Cybercriminal group ZeroX has stolen 1 TB of confidential data belonging to the world's largest oil company, Saudi Aramco, and put it up for sale on the darknet. The attackers offer the Saudi Aramco data for an initial price of $5 million. The group did not explain which vulnerability was used to access Saudi Aramco's networks, but instead called it a "zero-day exploitation."
Unfortunately, the past week has not been without ransomware attacks. In particular, the ransomware attack on the American provider of cloud hosting and integrated IT infrastructure management services Cloudstar disrupted the activities of hundreds of companies, and another ransomware attack caused a malfunction of the ticket machines of the British state railway company Northern Trains.
The American IT company Kaseya, which suffered an attack by the ransomware group REvil three weeks ago, reported that it has received a universal decryptor for recovering the encrypted data. Initially, the REvil group offered the decryptor at a price of $70 million but later reduced the amount to $50 million. It is unclear whether Kaseya paid the ransom or obtained the decryption key in some other way.
South African state-owned logistics company Transnet has allegedly been the victim of a cyberattack. Transnet said container terminals suffered from disruptions while the rail freight, pipeline, engineering and property divisions were operating as normal.
ReversingLabs discovered two malicious packages in the NPM repository capable of stealing credentials from Google Chrome browsers on Windows systems, as well as installing a backdoor for further spyware activity. The packages (nodejs_net_server and temptesttempfile) have been in the repository since 2018, with a total of more than 2,000 downloads.
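A practical response to a report like this is to check whether the named packages are anywhere in your own dependency trees, including transitively. The script below is an added example written for this review, not ReversingLabs' tooling: it walks a package-lock.json in both the lockfile v1 shape (nested "dependencies") and the v2/v3 shape ("packages" keyed by install path) and reports any entry whose name is on a block list. The block list holds only the two package names from the report; the sample lockfile, its versions and the project name are constructed for the demonstration.

```python
"""Scan a package-lock.json dependency tree for known-malicious npm package names."""
import json
import sys

# Block list: the two package names from the ReversingLabs report.
# Extend it from your own threat-intelligence feed.
MALICIOUS_PACKAGES = {"nodejs_net_server", "temptesttempfile"}


def iter_lock_packages(lock):
    """Yield (name, version) for every package in a package-lock.json.

    Handles lockfile v2/v3 (flat "packages" map keyed by install path) and
    lockfile v1 (nested "dependencies" trees). A v2 file carries both sections
    describing the same tree, so entries are de-duplicated.
    """
    seen = set()
    # v2/v3: keys look like "node_modules/express/node_modules/@scope/name"
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself, not a dependency
        name = path.rsplit("node_modules/", 1)[-1]
        key = (name, meta.get("version", ""))
        if key not in seen:
            seen.add(key)
            yield key
    # v1: "dependencies" maps name -> {"version": ..., "dependencies": {...}}
    stack = [lock.get("dependencies", {})]
    while stack:
        deps = stack.pop()
        for name, meta in deps.items():
            key = (name, meta.get("version", ""))
            if key not in seen:
                seen.add(key)
                yield key
            if "dependencies" in meta:
                stack.append(meta["dependencies"])


def find_malicious(lock, blocklist=MALICIOUS_PACKAGES):
    """Return a sorted list of (name, version) pairs present on the block list."""
    return sorted(k for k in iter_lock_packages(lock) if k[0] in blocklist)


# Constructed sample lockfile: a v2 "packages" section plus a v1-style
# "dependencies" tree, with one blocked package hidden in each. Project name
# and version numbers are placeholders, not values from the report.
SAMPLE_LOCK = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 2,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/express": {"version": "4.17.1"},
    "node_modules/express/node_modules/nodejs_net_server": {"version": "1.0.0"}
  },
  "dependencies": {
    "express": {
      "version": "4.17.1",
      "dependencies": {
        "temptesttempfile": {"version": "0.0.1"}
      }
    }
  }
}
""")

if __name__ == "__main__":
    # Usage: python scan_lock.py [path/to/package-lock.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    hits = find_malicious(lock)
    for name, version in hits:
        print(f"BLOCKED dependency found: {name}@{version}")
    sys.exit(1 if hits else 0)
```

The non-zero exit status makes the script usable as a CI gate; a transitive hit is reported just like a direct one, which matters because the packages in the report were designed to be pulled in unnoticed.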
Qualys experts have announced a new vulnerability in Linux that allows a local user to gain superuser rights on most distributions, in particular Ubuntu, Debian and Fedora.
The issue (CVE-2021-33909), dubbed Sequoia, is contained in the Linux filesystem layer and is an out-of-bounds read vulnerability. According to the experts, the problem stems from incorrect handling of the file name length. Using it, an unprivileged local user can run code with superuser rights.
Cybersecurity researchers have discovered a vulnerability in a common print driver used by major manufacturers such as HP, Xerox and Samsung.
The issue, identified as CVE-2021-3438, has existed in the code since 2005 and affects millions of printers produced in the past 16 years, specifically more than 380 different HP and Samsung printers, and at least 12 Xerox device models.